PLEASE NOTE: I HAVE PERMANENTLY MOVED MY BLOG TO http://www.rationalsurvivability.com/blog

August 19, 2007

Hot on the heels of becoming gigagillionaires, the folks at VMware make my day with this. Congrats to the folks @ Determina.

Methinks that for the virtualization world, it's a very, very good thing. A step in the right direction.

I'm going to prognosticate that this means that Citrix will buy Blue Lane or Virtual Iron next (see bottom of the post) since their acquisition of XenSource leaves them with the exact same problem that this acquisition for VMware tries to solve:

...the security of virtualized environments has been something of an unknown quantity due to the complexity of the technology and the ways in which hypervisors interact with the host OS. Determina's technology is designed specifically to protect the OS from malicious code, regardless of the origin of the attack, so it would seem to be a sensible fit for VMware, analysts say.

In his analysis of the deal, Gartner's MacDonald sounded many of the same notes. "By potentially integrating Memory Firewall into the ESX hypervisor, the hypervisor itself can provide an additional level of protection against intrusions. We also believe the memory protection will be extended to guest OSs as well: VMware's extensive use of binary emulation for virtualization puts the ESX hypervisor in an advantageous position to exploit this style of protection," he wrote.

I've spoken a lot recently about how much I've been dreading the notion that security was doomed to repeat itself with the accelerated take-off of server virtualization, since we haven't solved many of the most basic security problem classes. Malicious code is getting more targeted and more intelligent, and when you combine an emerging market using hot technology without an appropriate level of security... Basically, my concerns have stemmed from the observation that if we can't do a decent job protecting physically separate yet interconnected network elements with all the security fu we have, what's going to happen when the "...network is the computer" (or vice versa)? Just search for "virtualization" via the Lijit Widget above for more posts on this...

Some options for securing virtualized guest OSes in a VM are pretty straightforward:

1. Continue to deploy layered virtualized security services across the VLAN segments of which each VM is a member (via IPSs, routers, switches, UTM devices...)

2. Deploy software like Virtual Iron's, which looks like a third-party vSwitch IPS on each VM

3. Integrate something like Blue Lane's ESX plug-in, which interacts with the VMM and operates at the VMM level

4. As chipset-level security improves, enable it

5. Deploy HIPS as part of every guest OS.

Each of these approaches has its own sets of pros and cons, and quite honestly, we'll probably see people doing all five at the same time...layered defense-in-depth. Ugh.

What was really annoying to me, however, is that it really seemed that in many cases, the VM solution providers were again expecting that we'd just be forced to bolt security ON TO our VM environments instead of BAKING IT IN. This was looking like a sad reality.

I'll get into details in another post about Determina's solution, but I am encouraged by VMware's acquisition of a security company which will be integrated into their underlying solution set. I don't think it's a panacea, but quite honestly, the roadmap for solving these sorts of problems was blowing in the wind for VMware up until this point.

"Further, by using the LiveShield capabilities, the ESX hypervisor could be used 'introspectively' to shield the hypervisor and guest OSs from attacks on known vulnerabilities in situations where these have not yet been patched. Both Determina technologies are fairly OS- and application-neutral, providing VMware with an easy way to protect ESX as well as Linux- and Windows-based guest OSs."

Quite honestly, I hoped they would have bought Blue Lane since the ESX Hypervisor is now going to be a crowded space for them...

We'll see how well this gets integrated, but I smiled when I read this.